Reporting Cybersecurity Risk to the Board of Directors

CONTENTS

4 Introduction 4 Role of the Board of Directors 5 Cyberrisk as Strategic Risk 6 Structure of Cybersecurity Program Oversight 6 / First Line of Defense (1L) 6 / Second Line of Defense (2L) 7 / Third Line of Defense (3L) 7 Legal Concerns 7 / GDPR 8 / PCI-DSS 8 / Private Rights of Action and Class Actions 8 / Unfair Business Practices and Other Regulations 9 Threat Intelligence 9 / Attacker Profiles 9 / Industry-based Risk Profiles 10 Risk Identification and Scenario Analysis 11 Risk Measurement 12 Dashboards and Metrics 14 Capacity, Appetite and Limits 15 Cyberrisk Economics 15 / Materiality 15 / Cyberinsurance 16 / Capital Allocation 16 Peer Comparisons 16 Budgeting 17 Issues and Findings 17 Board Education and Awareness 18 Conclusion 19 Acknowledgments

ABSTRACT

Enterprise boards of directors need to understand how cybersecurity risk affects business objectives and board oversight responsibilities. Cybersecurity professionals have the knowledge that boards require but need to learn how to translate that information into business language that is useful to boards. This white paper helps risk and cybersecurity professionals to report cybersecurity risk in ways that their enterprise board of directors can understand, by providing an overview of board responsibilities and structure, a method to decompose high-level board concerns into technologically relevant (and measurable) risk scenarios, and information on cyberrisk economics.

Introduction

Cybersecurity professionals are being asked increasingly This white paper will help to lay out the landmarks that to prepare materials for and give presentations to their can be used to better understand how to adapt enterprise board of directors. Communicating priorities to cybersecurity matters for consumption by professionals any board member requires understanding the board who are less knowledgeable about technology. The goal is perspective on the subject that is being considered. This to better understand the process of reporting technology means recognizing that board members have an overall risk to the board and provide context for how to tailor their enterprise perspective that subsumes cybersecurity. messages. This white paper provides an overview of the Therefore, gaining attention (and being relevant to the role and structure of boards, and information on board) requires placing cybersecurity concerns in the presenting cybersecurity as a strategic risk, scenario context of business objectives—cybersecurity analysis, risk economics, risk appetite, metrics and practitioners need to learn how to speak the language of dashboards. These discussions help technology business. professionals to communicate cybersecurity risk in ways that businesses can understand. Role of the Board of Directors

For cybersecurity professionals to better connect their and business partners (i.e., duty of care). This governance specialized skills and roles to concerns of the board of oversight extends to ensuring that the enterprise fully directors, it is critical that professionals understand the understands its cybersecurity risk and is managing that job of a board director. The National Association of risk adequately and effectively. However, to fulﬁll these Corporate Directors (NACD), in the United States, explains responsibilities, directors need to be appropriately briefed that boards have two primary responsibilities—to oversee by the enterprise cybersecurity and risk professionals. 1 management and to advise management. 1 According to Directors understand enterprise operations, such as the United Kingdom Institute of Directors (IoD), boards ﬁnance, sales, corporate investment, risk management, have a responsibility to ensure the prosperity of an legal and audit, and have a depth of experience from 2 enterprise. 2 which they can draw to give guidance to enterprise Boards have limited ability to be involved in day-to-day operators. When boards make decisions, it is important operations, which is the role of enterprise management. that they balance short-term and long-term goal; keep Directors take an overarching and strategic vantage point operations focused on core business functions, while also to ensure the long-term prosperity and survivability of the encouraging growth and innovation; and generally enterprise. They also have a legal responsibility to provide understand the marketplace in which the enterprise effective governance oversight, to ensure that the operates. Typical board tasks include enterprise is well managed and to provide reasonable establishing/advising on vision, mission, values, strategy, protections to its customers, employees, shareholders legal/regulatory issues and corporate structure. The board

1 1 National Association of Corporate Directors, “The Role of the Board vs. the Role of Management FAQ,” 30 September 2016, https://www.nacdonline.org/insights/publications.cfm?ItemNumber=35784 2 2 Institute of Directors, “What is the role of the board?,” 25 September 2018, www.iod.com/services/information-and-advice/resources-and- factsheets/details/What-is-the-role-of-the-board

delegates specific tasks to management, which operates the Research in reputational risk reveals that cybersecurity business in alignment with board strategy and guidance. events can cause enterprises to no longer purchase from 3 an enterprise that experienced an event. 3 Because Although cybersecurity was not a typical board task in the enterprises rely on their reputations to meet their strategic past, the proliferation of IT in enterprise objectives prompted goals, anything that can negatively affect those the need for individuals with an IT background to reputations has strategic importance. Therefore, insights appropriately advise management on their technology into how cybersecurity failings can be connected to choices. As boards and shareholders become increasingly strategic objectives are key to helping boards better concerned about cybersecurity incidents, the need increases understand cybersecurity risk. for directors that understand what good cybersecurity operations look like and how they can influence them. Successfully presenting cybersecurity concerns to the board requires the ability to weave a narrative around Although cybersecurity was not a typical board task in what is occurring in the broader cybersecurity industry, the past, the proliferation of IT in enterprise objectives prompted the need for individuals with an IT background how attackers are affecting industry peers, and using to appropriately advise management on their technology metrics, financial impact and enterprise maturity to show choices. how cybersecurity events will affect the enterprise.

Cyberrisk as Strategic Risk

For long time, cybersecurity was not clearly connected to Financial impacts like that of the Wannacry attack spurred enterprise objectives. This disconnect between senior executives and boards of directors to want to know cybersecurity and the business only recently began to be if their enterprises are at risk and how these events will repaired. Breaches and ransomware events during the look if they happen in their enterprises. Although they have past three years brought into sharp focus how keen interest in understanding cybersecurity risk devastating the failure to manage cybersecurity risk can exposure, these executives and boards need a bridge be to enterprise operations. The Wannacry ransomware between cybersecurity and business. This bridge function attack in 2017 is the high-water mark in business is best ﬁlled by risk management professionals who interruption, with enterprises around the world impacted— understand the details of technology and can render these utilities, governments, universities, healthcare, technology concerns into operational and strategic manufacturing, telecommunications, transportation and matters. more. Aggregate losses from this single ransomware Presenting cybersecurity as a business issue requires event are estimated at between several hundred million some translation. Strategic risk areas are those that 4 US dollars and $4 billion. 4 affect, or are created by, the enterprise business strategy

Breaches and ransomware events during the past three and objectives. The technology-to-business translation years brought into sharp focus how devastating the goal is to capture the elements of technological failure failure to manage cybersecurity risk can be to enterprise and connect them to enterprise objectives, presented as operations. strategic risk. This process typically involves

3 3 Moody’s Investors Service, Inc., “Cyber Risk – Global: Reputational Risks From Cyberattacks Are Rising As Episodes Become More Publicized,” www.moodys.com/research/Cyber-Risk-Global-Reputational-risks-from-cyberattacks-are-rising-as—PBC_1205103 4 4 Berr, J.; “’WannaCry’ ransomware attack losses could reach $4 billion,” 16 May 2017, CBS Interactive Inc., www.cbsnews.com/news/wannacry- ransomware-attacks-wannacry-virus-losses/

decomposing cybersecurity risk into a series of interruption and fraud. Depending on the industry, this progressively decomposed loss scenarios. level may also include product security and privacy. Developing a full slate of risk that connects technology to At the top of the process, the broadest categories are business strategy requires the identiﬁcation of scenarios thematic risk; cybersecurity may be one, but credit and that can cause negative outcomes. The section about risk market risk are also at this level. At the next level, the identiﬁcation and scenario analysis describes how to categories get more granular. For cybersecurity, this may create this taxonomy. include categories such as data disclosure, business Structure of Cybersecurity Program Oversight

A board of directors typically organizes itself into several committees—some standing committees and often some Boards vary in their structures, but governance of cybersecurity operations typically comes from either the ad hoc committees. The exact charge of these risk or audit committee—and sometimes both. committees varies among enterprises, but some expectations on how different committees can The 3LoD model provides layers of management controls have an impact on cybersecurity risk reporting are to protect against risk. The model evolved in the late described here. 1990s and was codified in a 2013 paper by the Institute of 5 Internal Auditors (IIA). 5 Since then, it has become a Standing committees typically include an executive cornerstone of most risk management frameworks and is committee to oversee the chief executive, a governance 6 referenced in the ISACA Risk IT Framework. 6 committee that provides oversight to the board, a finance or budget committee that is responsible for revenues and A description of the foundation of this framework follows. expenses, and an audit committee that oversees financial reporting and disclosure. Some enterprises also have a First Line of Defense (1L) risk committee that focuses on sources of strategic, financial, compliance and operational (including These are the control and risk owners who have cybersecurity) risk. operational responsibility for managing enterprise risk. Typically, these owners include the personnel in IT that are Boards vary in their structures, but governance of responsible for the day-to-day operation of technology cybersecurity operations typically comes from either the controls. For example, business process owners set the risk or audit committee—and sometimes both. It is requirements, and IT professionals develop software and typically the role of an enterprise risk management (ERM) systems to meet those requirements. function to establish a risk governance framework to provide these committees the information they need to provide appropriate oversight. A generic design principle Second Line of Defense (2L) to accomplish this is to use the Three Lines of Defense The second line is a relatively new addition to the (3LoD) model. assurance world and encompasses risk management and

5 5 The Institute of Internal Auditors, “The Three Lines of Defense in Effective Risk Management and Control,” January 2013, https://na.theiia.org/standards- guidance/Public%20Documents/PP%20The%20Three%20Lines%20of%20Defense%20in%20Effective%20Risk%20Management%20and%20Control.pdf 6 6 ISACA, Risk IT Framework, 2nd Edition, www.isaca.org/bookstore/bookstore-risk-digital/ritf2?cid=pr_2004614&Appeal=pr

compliance functions. The goal of the second line of lines of defense and shares roles and responsibilities of defense is to provide checks and oversight on the both. The 1.5L is typically a function assigned to IT risk responsibility of the first line of defense. This line sets the management, because it operates inside a security standards either explicitly, by publishing internal policies function and, therefore, alongside security control and standards, or implicitly, by its influence in an advisory operators. Because information risk management function and creating issues and findings. In some typically has a large scope of work, the amount of enterprises, the 2L reports independently of operations technology in use is often too much for a pure second- and directly to the chief executive officer (CEO) or the line-of-defense function to oversee. In enterprises that use chief risk officer (CRO). a 1.5L, the 2L tends to oversee checks done by the 1.5L instead of doing its own detailed checks of the first line. Third Line of Defense (3L) These lines of defense connect to the board committees to report on risk. The 3LoD traditionally aligned to the The third line of defense is the internal audit, which provides board audit committee, giving them independent independent validation of the functions of the first line and oversight of the performance of the enterprise controls. second line of defense. The 3L reports independently, As the second line of defense developed, so too did the outside of operations, and directly to the CEO. board risk committee. Thus, 2L work products are IT risk management can also have a 1.5 line of defense delivered to the risk committee in a way that is similar to (1.5L). This function sits between the first and second the 3L reporting to the audit committee. Legal Concerns Some enterprises realize that their strategic goals are tied GDPR to technology and place security requirements in contracts with third parties. Governments place similar The biggest recent cybersecurity regulation to be legal requirements on enterprises to help protect the implemented is the General Data Protection Regulation public, creating economic externalities to shift the (GDPR), which passed into law in 2016 with an marketplace towards more secure and privacy-aware implementation date in 2018. With this single law, the computing practices. number of countries that require breach notification jumped 7 from eight in 2015 to 40 in 2016. 7 As of 2020, 64 countries Boards must ensure that their enterprises are meeting require such disclosure. The more countries that require these contractual and regulatory obligations to avoid breach disclosure, the more consumers who will be made potential legal claims, including any personal liability that aware of security failings and, by extension, the less likely board members may have. As a result, connecting that the reputation of an affected enterprise will be imperiled. cybersecurity to legal and regulatory implications is critical to help ensure that the needs of the board Reporting on GDPR risk for a board does not require a are met and that board members understand lawyer. The cybersecurity professionals advise enterprises potential pitfalls. The following subsections include two on their legal risk. It is important that cybersecurity major legal frameworks—GDPR and PCI DSS—that can professionals align with the legal function in an enterprise help boards understand their legal and regulatory (internal and/or external) around the following requirements: exposure. • Data subject consent and access to personal data (right of access)

7 7 Op cit Moody’s Investors Service, Inc.

• Data subjects can request the removal of their information • Maintaining a secure system (end to end) for accepting and (right of erasure) processing cardholder data • Data subjects can object to having their data processed for • Conducting regular security testing

sales and marketing or other reasons (right to object to PCI has 12 requirements and numerous subrequirements to automated decisions) ensure a secure cardholder data environment. Penalties or • Cross-border data transfers have strict requirements restrictions on how an enterprise can accept payment cards can be a huge limitation in an enterprise executing its Not having these requirements in place creates legal risk. strategies to achieve its objectives. Board reporting on PCI GDPR ﬁnes can be the greater of either €20 million noncompliance requires connecting it to revenue goals and (US$23.8 million) or up to four percent of annual reputational harm. If customers do not feel safe using their worldwide turnover. Another GDPR requirement is to credit cards at an enterprise, revenue targets suffer. notify the supervising authority within 72 hours of identifying a reportable breach. The GDPR states that an enterprise should have processes in place to be able to Private Rights of Action and detect security breaches. However, the IBM “Cost of a Class Actions Data Breach Report 2020” shows that the average In some cases, following a cybersecurity event at an time to identify a breach is 207 days (up from enterprise, affected customers, individually or with others, 206 days in 2019) and a further 73 days to contain the can initiate legal proceedings against the enterprise, under 8 breach. 8 Therefore, there is a potential gap between how laws established by a jurisdiction. Individual lawsuits long it takes to identify a breach and the legal focus on the damage incurred by a single aggrieved party; requirements of GDPR. a class action lawsuit combines a series of grievances

represented by a single plaintiff. There is often much The GDPR states that an enterprise should have greater cumulative damage from a combined lawsuit, but processes in place to be able to detect security potentially less distraction than multiple, simultaneous breaches. lawsuits generate. Class action lawsuits are primarily a phenomenon in the United States, but they can also occur Although the GDPR is an EU law, it impacts enterprises in in Canada and some EU countries. countries outside the EU if the enterprise operates in an EU country or on behalf of a data controller in the EU that For board reporting, it is important to consider legal processes (i.e., stores, alters, utilizes, records, etc.) data defense costs, ranges of possible settlements, marketing from an enterprise that is under GDPR jurisdiction. and public relation efforts to counteract any reputational harm, and costs associated with distracted boards and PCI-DSS executives. These costs can be incorporated into risk Since 2004, enterprises that issue or process credit cards quantification efforts. are subject to the PCI-DSS contractual obligation. Although not a regulation, it exposes enterprises to Unfair Business Practices and sometimes significant financial penalties, including a Other Regulations prohibition against accepting credit cards. Key factors in If a cybersecurity event impacts products or services PCI include: offered, there can often be additional regulatory oversight. • Limiting a collection of cardholder data For example, unfair business practices cover things like deceptive marketing plans (intentional or not), outright

8 8 IBM, “Cost of a Data Breach Report 2020,” www.ibm.com/security/digital-assets/cost-data-breach-report/#/

fraud and misrepresentation. Attempting to market a (ﬁnancial services for instance) have regulations they product or service as being secure when it is not can must follow that prescribe security requirements and result in action against an enterprise by government limitations around how they represent their products and entities. Enterprises that operate in speciﬁc verticals services to customers. Threat Intelligence

It is critical that board directors understand the threats the concept is to develop a series of attacker proﬁles that that are facing their enterprises. Like all board and can be characterized in terms of access to resources and executive communications, it is important to make sure access to skill sets. Following is a sample set of threat

10 , 11 that the complex cyberthreats that are managed every communities: 10 11 day are translated appropriately to the business concerns • Nation states that are managed by the board. • Cybercriminals

This translation is of critical importance for technology • Suppliers professionals. Threat intelligence is a critical component • Hacktivists of cyberdefense and leverages paid and open-source • Privileged insiders services to provide technological insight into who is • Nonprivileged insiders attacking and what tactics, techniques and procedures These categories are not meant to identify speciﬁc (TTPs) they are employing. There are many frameworks attackers (e.g., APT28 or Fancy Bear), but, instead, to give that can be used to collect, classify and report executives a range of types of attackers that the cyberthreats, such as MITRE ATT&CK® and Lockheed enterprise might face. Such attacker groups can be

® 9 Martin Cyber Kill Chain . 9 expressed quantitatively using two variables: threat capability and threat event frequency. These variables give

Threat intelligence is a critical component of executives a vantage point into how often these threats cyberdefense and leverages paid and open-source are acting against them and how powerful an attacker is services to provide technological insight into who is attacking and what tactics, techniques and procedures when it does attack. (TTPs) they are employing. Industry-based Risk Profiles Although these models are useful, they are too complex to Some immutable qualities can contribute to an be effective for executive and board communication. enterprise threat profile. People intuitively understand that Instead, categorizing the attackers and the attack types is operating in certain industries can have more risk than in very useful for giving executives an understanding of who others. Sutton’s Law states that the reason to rob a bank is attacking and what they are using to attack. is that is where the money is located. Cybercrime against financial service enterprises is well known. Attacker Profiles Nation-state action against government contractors Constructing attacker profiles is a critical part of a threat and the intelligence community (IC) at large is also well communication plan. Attribution is not the goal—instead, known.

9 ® 9 Lockheed Martin Corporation, “The Cyber Kill Chain ,“ www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html 10 10 Freund, J.; J. Jones; Measuring and Managing Information Risk: A FAIR Approach, Portsmouth, NH, Butterworth-Heinemann, 2014 11 11 Freund, J.; S. Fritts; J. Marius; “Using Data Breach Reports to Assess Risk Analysis Quality,” ISSA Journal, February 2016, vol. 14, issue 2, https://issa- cos.org/wp-content/uploads/2016/02/ISSA_Journal_February_2016.pdf

Two factors that are necessary to communicate to boards The second factor measures how likely threat and executives regarding their industry risk are target value communities are to take action against the enterprise. and probability of attack by various threat communities. Industry classification systems, such as the North Creating an inventory of relevant data types, finances and American Industry Classification System (NAICS) and 12 other information assets that might be of value to attackers Standard Industrial Classification (SIC), 12 can show the is a useful exercise. This list doubles as the enterprise list of board where the enterprise fits alongside peers and how it crown jewels, which deserve special protection. fares across all other industries. Risk Identification and Scenario Analysis

Risk identification is more than simply identifying a • Strategic Objective 1: Increase percentage of customers that potentially bad thing. It requires a combination of use more than one enterprise product by 40 percent systematic thinking and creativity to imagine an entire • Risk to Objective 1 (filtered for cybersecurity): series of failings. To build out these connections – Layer 1—External fraud between the highest and lowest levels of an enterprise – Layer 2—Systems security requires the decomposition of high-level board – Layer 3—Hacking concerns into technologically relevant (and measurable) – Layer 4—Credential stuffing, privilege escalation, scenarios. lateral movement, etc. • Strategic Objective 2: Increase sales in North American market To accomplish this, many risk professionals use labels to by 15 percent describe the level of decomposition with which they are • Risk to Objective 2 (filtered for cybersecurity): working. Building an enterprise risk taxonomy can be – Layer 1—Business disruption accelerated by leveraging the BASEL II loss event type – Layer 2—Systems 13 classifications. 13 This framework was originally – Layer 3—Software established as a regulatory tool for financial services; – Layer 4—Ransomware however, this breakdown of risk types is very executive-friendly and is often already familiar to them. The upper layers tend to be less technologically specific Risk type categories include fraud, hacking and but are helpful when trying to label and classify risk from business disruption. all sources in an enterprise. For example, Objective 2 risk may also include things like natural disasters and The first step is to identify a business strategy and then pandemics at layers 1 and 2 (in BASEL II terms: damage decompose it into the series of cybersecurity failings that to physical assets and workplace safety, respectively). can prevent it from succeeding. A typical chain of risk decomposition (i.e., risk taxonomy) using this approach Figure 1 shows a simplified example of this 14 follows. decomposition. 14

12 12 NAICS Association, “NAICS & SIC Identiﬁcation Tools,” www.naics.com/search/ 13 13 BIS, “OPE - Calculation of RWA for operational risk,” www.bis.org/basel_framework/chapter/OPE/30.htm 14 14 Freund, J.; “Communicating Technology Risk to Nontechnical People: Helping Enterprises Understand Bad Outcomes,” ISACA Journal, vol. 3, 2020, https://www.isaca.org/resources/isaca-journal/issues/2020/volume-3/communicating-technology-risk-to-nontechnical-people

FIGURE 1: Decomposition of Scenario Analysis

Business Scenarios IT Scenarios Overall

Data Loss and Theft ꞏ Theft of data from Privileged insiders leverage critical applications legitimately granted ꞏ Data sent to the wrong credentials to steal data from customer critical applications.

Data Reliability ꞏ Financial data not reliable ꞏ Asset inventories compromised Cybercriminals compromise customer portal to access PII. Systems Availability ꞏ Critical systems offline > 1 hour ꞏ Back-end transaction processing delayed > 8 hours Manual processes lead to data being sent to the wrong customers. Fraud ꞏ Credit card processing compromised ꞏ Purchase-order fraud

Risk Measurement

After the scenarios are articulated using decomposition, methodology, such as the factor analysis of information measuring them becomes a straightforward task. Presenting risk (FAIR), can enable the economic representation of a full slate of risk scenarios to the board is not beneficial until cybersecurity risk that is sorely missing in the boardroom, 15 the scenarios are ordered and prioritized using quantitative but can illuminate cybersecurity exposure. 15 measurement that is in a familiar format for executives. The Too many risk presentation methods use ordinal scale members of board committees are adept at managing measures, which have inherent limitations and can be financial measurements. The more a risk-management detrimental to good management. Such scales typically measurement resembles the financial statements and represent risk as a value from 1 to 5, for example. The income projections that the board typically sees, the easier it actions that the board needs to take are difficult to is for board members to manage cybersecurity risk. envision with a descriptor like risk factor 3. Measuring each of the risk scenarios that is articulated in the previous taxonomy by using measures of economic Too many risk presentation methods use ordinal scale impact is the best way to provide prioritization for board measures, which have inherent limitations and can be detrimental to good management. directors. Using a cybersecurity value at risk (VaR)

15 15 Op cit Freund, J.; J. Jones

Measuring cybersecurity risk using FAIR requires a fully overall loss distribution model. This model shows a formed risk scenario that allows for measurement of the range of possible losses if a cybersecurity event following: materializes. An example of such a loss distribution

• How often threat agents act against an asset model is shown in ﬁgure 2, which represents the • How much resistance the control environment offers money that an enterprise may lose if a particular • How much loss can occur if they are successful. scenario materializes.

FAIR asks that each variable be estimated three times, to Because there are numerous scenarios at the L4 level, it is represent a best case (5th percentile), worst case (95th not feasible to escalate all of them to the board. Instead, percentile) and a most likely (mode) value. These three the strategy should be to choose exemplar scenarios to estimates are input to a Monte Carlo function that represent each aggregate category. A good way to creates a distribution of possible values for each input present these scenarios and metrics to executives is variable and then combines them to create an through a dashboard.

FIGURE 2: Monte Carlo Loss Distribution Output from a FAIR Calculation

24% 22%

19%

12% 11%

5% 3% 2% 0% 1% 0% 0% 0% 0% 0% 0% 0% 0% 0% 0%

39228781 52775697.8 66322614.6 79869531.4 93416448.2 106963365.0 120510281.8 134057198.6 147604115.4 161151032.2

Dashboards and Metrics

Combining risk quantification into a board-friendly event loss value (as opposed to annualized) is easier to presentation requires some abstraction. Fortunately, understand and does not require probabilistic understanding. decomposing risk scenarios allows for easy The most likely value (mode) from the previous loss representation. Figure 3 shows a clear and concise report distribution is a good representative value to use in this that can represent enterprise risk to a board. graph. However, a value at the 95th percentile might be helpful for communicating a worst-case scenario. In figure 3, there are four high-level scenarios—data loss and theft, data reliability, systems reliability and fraud. An Each of these categories of cybersecurity risk can be aggregate amount of risk is associated with each scenario. decomposed down to the next level, as illustrated For communication and accessibility purposes, a single loss- in figure 4.

FIGURE 3: High-Level Board Cyber Loss Report

$500M

$400M

$200M

$225M $175M

$50M $85M

Data loss and theft Data reliability Systems reliability Fraud

FIGURE 4: Decomposed Board Cyber Loss Report

L3 – Data Theft from L1 – Data Loss and Theft L2 – Data Theft from Crit Apps Prod 1 Apps

$2B

Privileged insiders leverage legitimately granted credentials to steal data from critical applications in . $200M

$175M $175M $175M $125M $50M $90M $50M

The L1 – Data Loss and Theft risk category is derived becomes the example that is representative of the risk from a measurement of the risk in critical enterprise associated with the L1 risk scenario. products and services. The L3 scenario shows the highest-rated risk among these key scenarios. The Further decomposing the L3 scenario for that product highest-risk scenario across all the products and services establishes a series of metrics, as illustrated in ﬁgure 5.

FIGURE 5: Cybersecurity Risk-Aligned Board Metrics

Metric Thresholds (G/Y/R) Value Trend

KRI: Percent of applications with 10% <= 12% <= 15% 17% risk scenarios that exceed limit

KRI: Number of applications 2% <= 5% <= 8% 1% with open audit issues

KPI: Percent of applications that completed annual risk 99% >= 97% >= 95% 97% assessment

KCI: Percent of endpoints with 99% >= 97% >= 95% 99% updated DLP agent

KCI: Percent of applications with 99% >= 97% >= 95% 99% validated quarterly entitlements

These metrics can help to establish actions that boards series of control failures or gaps that can be prioritized for and executives can take in response to risk that is remediation. Generating actions for any of these unacceptable. For example, in the ﬁrst metrics quantitative risk assessments requires thresholds that (applications that exceed limits), the recommendation is a drive action. Capacity, Appetite and Limits

The concept of risk appetite can cause much confusion. • Capacity—Maximum level of risk at which an enterprise can Using key risk indicator (KRI) metrics to serve as an operate, while remaining within constraints implied by capital appetite is a mismatch of data and purpose. For example, and funding needs and its obligations to stakeholders using something like record count as a measure of risk (Enterprises should not operate at this level..) 16 has problems in implementation. 16 What happens when • Appetite—Level of risk at which the enterprise is willing to the record limit is reached? Are those records removed operate, but necessitates immediate escalation and action from the environment? Or, is it a lagging measure that can (Also known as tolerance.) only be taken after a negative event has occurred? • Limits—Thresholds and triggers

Instead, it is advisable to establish three thresholds that Applying these thresholds determines whether each drive different actions and represent a different level action is necessary for the board and is helpful of risk to the enterprise. The three categories are capacity, for making other ﬁnancial decisions related to 17 appetite and limits (ﬁgure 6): 17 cybersecurity.

16 16 Freund, J.; “Problems With Using Record Count as a Proxy for Risk,” @ISACA, vol. 19, 14 September 2020, www.isaca.org/resources/news-and- trends/newsletters/atisaca/2020/volume-19/problems-with-using-record-count-as-a-proxy-for-risk 17 17 Deloitte, “Risk appetite frameworks: How to spot the genuine article,” 2014, www2.deloitte.com/content/dam/Deloitte/au/Documents/risk/deloitte-au- risk-appetite-frameworks-ﬁnancial-services-0614.pdf

FIGURE 6: Capacity, Appetite and Limits on Board Cyberrisk Report

L3 – Data Theft from L1 – Data Loss and Theft L2 – Data Theft from Crit Apps Prod 1 Apps

Capacity $2B Undesirable: Privileged insiders Needs escalation leverage legitimately granted credentials to steal data from critical applications in . Appetite $200M Acceptable: Monitor $175M $175M $175M $125M Limit $50M $90M Desirable $50M

Cyberrisk Economics

Several governance activities can be enabled by assessments previously outlined, a comparison can be measuring and reporting cybersecurity risk in financial made between the amount of expected loss and whether terms. Each of these has a role in determining the right such a loss is financially material to the enterprise. In risk treatment decision. The board responsibilities for many cases, such a loss is considered significant and protecting the enterprise depends on the directors may warrant a material disclosure, regardless of whether understanding whether the enterprise is well-capitalized it is financially so. Further, such a materiality threshold is for regular negative events and worst-case events. Doing likely to have a great influence on decisions to set risk this properly includes exercises to measure materiality, appetite and limit thresholds for comparison. insurance and capital allocation. Cyberinsurance Materiality Boards are also interested in knowing if they have the correct amount of cybersecurity risk insurance coverage It is important for the board directors to understand how in place. For these types of assessments, it is helpful to financially material a cyberevent will be to an enterprise. know how much loss the enterprise may face. Many measures of materiality tend to be fairly subjective Cybersecurity risk quantification exercises are extremely in nature; however, some research suggests that using a helpful in determining loss potential. value between two percent and 10 percent of gross revenue is a reasonable threshold against which to For insurance purposes, a tail value can be far more 18 compare cyberloss estimates. 18 Based on the helpful than a most-likely one. For boards, casting an

18 18 Freund, J.; “Engineering Economic Externalities: Methods for determining material cybersecurity ﬁnes,” Society of Information Risk Analysts, 2020, https://societyinforisk.org/SIRACon-2020#Jackfreund20

assessment, like a pseudo-stress test, can be helpful in severely adverse financial impacts to the enterprise. setting the context. The purpose is not necessarily to These are called capital reserves and effectively serve as insure against all cybersecurity losses, but to limit the a rainy-day fund. Many of these requirements were extreme values at the tail and their impact on the established or enhanced after the global financial enterprise balance sheet. Reporting potential risk losses crisis of 2007 to 2008, and there are formal to the board, accounting for insurance reductions, helps stress-testing exercises that help financial services board members to understand if they are over-insured, enterprises to determine how much capital to set aside. under-insured, or properly managing their risk posture. These tests include operational and cybersecurity risk. Even if an enterprise does not have specific Capital Allocation capital allocation requirements, it is prudent to Certain enterprises have regulatory requirements to consider setting money aside, depending on the ensure that they have money set aside in case there are enterprise risk culture. Peer Comparisons

Many boards and executives are curious about how their quantification efforts that are required for effective board enterprise compares to their peer enterprises, not only in communication are not done at the lower maturity levels cybersecurity loss potential, but also the maturity of their of the CMMI model. control measures. Most concerns focus on where the enterprise performs worse than its peers and what is Further, many of the quantification efforts that are needed to close the gap. required for effective board communication are not done at the lower maturity levels of the CMMI model, as Most enterprises looking for a peer comparison use a specific quantitative elements are prescribed at level 4. third party to provide such measures. This comparison typically includes an assessment of enterprise maturity, Other peer comparisons can be done using global scales, 19 measured on a CMMI scale from 0 to 5. 19 Although these such as the one being developed by Moody’s Investor scales are widely used, they have the aforementioned Services, which has been considering global scales in

20 , 21 ordinal scale limitations. Further, many of the their credit-scoring methodology for several years. 20 21 Budgeting

The board often has conversations about funding. Boards compared to overall technology spending, with a target may ask introspectively if they are spending enough goal, for example, 10 percent, is a typical comparison to 22 money on cybersecurity. Often, basic comparisons peer enterprises. 22 It is diﬃcult to make absolute against peers are done. The ratio of security spending comparisons, because enterprises allocate funding for

19 19 ISACA, “CMMI Levels of Capability and Performance,” CMMI Institute, https://cmmiinstitute.com/learning/appraisals/levels 20 20 Williams, R.; “Credit implications of cyberattacks will hinge on long-term business disruptions and reputational impacts,” Moody’s Investors Service Inc., 28 February 2019, www.moodys.com/research/Moodys-Credit-implications-of-cyberattacks-will-hinge-on-long-term—PBC_1161216 21 21 Fazzini, K.; “Moody’s is going to start building the risk of a business-ending hack into its credit ratings,” CNBC, 12 November 2018, www.cnbc.com/2018/11/12/moodys-to-build-business-hacking-risk-into-credit-ratings.html 22 22 Bernard, J.; D. Golden; M. Nicholson; “Reshaping the cybersecurity landscape,” Deloitte Insights, 24 July 2020, www2.deloitte.com/us/en/insights/industry/ﬁnancial-services/cybersecurity-maturity-ﬁnancial-institutions-cyber-risk.html

security expenses in different ways. For example, some However, presenting such incremental spending in terms enterprises pay for network device security through their of potential economic cybersecurity losses is helpful in IT budget as opposed to their security budget. drawing a straight line from loss exposure that has crossed deﬁned thresholds (appetite and limit), to the The ratio of security spending compared to overall systems supporting the products and services, and to the technology spending, with a target goal, for example, compromised technological controls that are causing this 10 percent, is a typical comparison to peer enterprises. excess loss exposure. In general, these ratio comparisons offer a limited argument It is critical that such straight-line arguments allow for a when trying to justify additional spending. For example, if the follow-up to show that loss exposure was reduced. It is enterprise has a real need for an updated logging and important that the loss amount (quantitatively) shows a monitoring solution, including software, hardware and reduction after the money is allocated, controls are staﬃng, the argument that peers spend three percent more implemented and assessments are updated, in a is likely to fail to get additional spending. subsequent board report. Issues and Findings

Sometimes, enterprises want to escalate missing, failed or broken controls directly to boards. Many enterprises It is important that IT organizations align their top risk concerns reports with risk scenarios and not with mistakenly designate these issues as risk and place them missing, failed or broken controls. in their risk register. In most cases, such voluminous lists are not appropriate for inclusion in board reports, which Translating these broken and missing controls into may include a list of top risk concerns. It is important that strategic risk management requires a risk practitioner to IT organizations align their top risk concerns reports with avoid confusing security terminology. Leveraging the risk scenarios and not with missing, failed or broken nomenclature in the FAIR methodology provides controls. Identifying cybersecurity as a strategic concern additional clarity to distinctions between risk, threat and 23 and applying it to patching is a critical activity, but a list of vulnerability that are helpful to boards. 23 When asked for missing patches does not communicate a strategic top risk concerns, cybersecurity professionals should not concern. Instead, those missing patches should be provide lists of control vulnerabilities, attack types and aligned to scenarios that provide a bottom-up view and, other maturity-based gaps. Instead, they should translate when aggregated, support the high-level assessment of those concerns into risk scenarios and tie them to critical organizational risk. functions in the enterprise. Board Education and Awareness

Another element that is often included in board understand the particular threat actors, industry proﬁle presentations is general cybersecurity education and and risk posture facing the enterprise. However, there is security awareness. These can include helping directors value in selected storytelling to help directors understand

23 23 Op cit Freund, J.; J. Jones

issues in the broader security industry. Directors read the cannot happen in the enterprise. Lastly, some enterprises news and are aware of major cybersecurity incidents. It is provide their board members with internal security helpful to be conversant in these stories and to be able to awareness training, such as including them in phishing offer comparisons to the enterprise. A board director is tests to prepare them for attempts to compromise concerned with relatability, and why an event can or systems and access sensitive information. Conclusion

Communicating cybersecurity risk to the board of that are aligned to those financial flows. Those scenarios directors requires an individual to be conversant in can be broken down into quantitatively valid and technology and business. This ability starts with accessible financial assessments that the board can understanding the concerns of the board and its role in leverage to adjust spending and take advantage of risk ensuring the longevity of the enterprise. It is imperative to transfer devices to manage the enterprise and ensure its understand how money flows through the enterprise and longevity. Cybersecurity board reporting is increasing, and how technology systems support that money flow. more technology professionals will be asked to adjust their skill sets to respond. Articulating cybersecurity risk to the board requires the need to establish a taxonomy of cybersecurity scenarios

Acknowledgments

ISACA would like to recognize:

Lead Developer Board of Directors Jack Freund, Ph.D. Tracey Dedrick, Chair Brennan P. Baybeck CISA, CRISC, CISM, CGEIT, Former Chief Risk Oﬃcer, Hudson City CISA, CRISC, CISM, CISSP CDPSE, CISSP Bancorp, USA ISACA Board Chair, 2019-2020

VisibleRisk, USA Rolf von Roessing, Vice-Chair Vice President and Chief Information Security Oﬃcer for Customer Services, CISA, CISM, CGEIT, CDPSE, CISSP, FBCI Oracle Corporation, USA Expert Reviewers Partner, FORFA Consulting AG, Mike Hughes Switzerland Rob Clyde CISM CISA, CRISC, CGEIT, MIoD Gabriela Hernandez-Cardoso ISACA Board Chair, 2018-2019 Prism RA, United Kingdom Independent Board Member, Mexico

Independent Director, Titus, and Executive Jack Jones Pam Nigro Chair, White Cloud Security, USA CISA, CRISC, CISM, CISSP CISA, CRISC, CGEIT, CRMA Chris K. Dimitriadis, Ph.D. RiskLens, USA Vice President–Information Technology,

CISA, CRISC, CISM Linda Kostic Security Oﬃcer, Home Access Health, USA ISACA Board Chair, 2015-2017

CISA, CISSP, Doctor of IT-Cybersecurity & Maureen O’Connell Group Chief Executive Officer, INTRALOT, Information Assurance, PRMIA Complete Board Chair, Acacia Research (NASDAQ), Greece Course in Risk Management, George Former Chief Financial Officer and Chief Washington University Administration Officer, Scholastic, Inc., Citi, USA USA

Katsumi Sakagawa David Samuelson CISA, CRISC Chief Executive Oﬃcer, ISACA, USA

Japan Gerrard Schmid

Dirk Steuperaert President and Chief Executive Oﬃcer, CISA, CRISC, CGEIT Diebold Nixdorf, USA

IT In Balance, Belgium Gregory Touhill

Alok Tuteja CISM, CISSP CRISC, CGEIT, CIA, CISSP President, AppGate Federal Group, USA

BRS Ventures, United Arab Emirates Asaf Weisberg

Prometheus Yang CISA, CRISC, CISM, CGEIT CISA, CRISC, CISM, CFE Chief Executive Oﬃcer, introSight Ltd., Standard Chartered Bank, Hong Kong Israel

Lisa Young Anna Yip CISA, CISM, CISSP Chief Executive Oﬃcer, SmarTone Axio, USA Telecommunications Limited, Hong Kong

About ISACA

For more than 50 years, ISACA® (www.isaca.org) has advanced the best 1700 E. Golf Road, Suite 400 talent, expertise and learning in technology. ISACA equips individuals with Schaumburg, IL 60173, USA knowledge, credentials, education and community to progress their careers and transform their organizations, and enables enterprises to train and build Phone: +1.847.660.5505 quality teams. ISACA is a global professional association and learning organization that leverages the expertise of its 145,000 members who work in Fax: +1.847.253.1755 information security, governance, assurance, risk and privacy to drive Support: support.isaca.org innovation through technology. It has a presence in 188 countries, including more than 220 chapters worldwide. Website: www.isaca.org

DISCLAIMER

ISACA has designed and created Reporting Cybersecurity Risk to the Board of Directors (the “Work”) primarily as an educational resource for professionals. Provide Feedback:

ISACA makes no claim that use of any of the Work will assure a successful https://www.isaca.org/reporting- outcome. The Work should not be considered inclusive of all proper cyberrisk-to-bod information, procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same Participate in the ISACA Online results. In determining the propriety of any speciﬁc information, procedure or Forums: test, professionals should apply their own professional judgment to the https://engage.isaca.org/onlineforums speci ﬁc circumstances presented by the particular systems or information Twitter: www.twitter.com/ISACANews technology environment. LinkedIn: www.linkedin.com/company/isaca RESERVATION OF RIGHTS Facebook: © 2020 ISACA. All rights reserved. www.facebook.com/ISACAGlobal Instagram: www.instagram.com/isacanews/

Reporting Cybersecurity Risk to the Board of Directors